IE default page problem

ok so i got this dialer thing that keeps popping up the second i get on the net,so i get spybot s&d and also bhodemon and hijackthis. upon using hijackthis i notice a certain ~snip 213.159.117.134/index.php~snip something i had linked to a certain dialer that wont stop popping up. i had blocked this page with nortons and IE and yet everytime i opened up IE it went right back to this 213.159 page and when this page is loaded it downloads a file and changes your registry, and when this happened my nortons came up with a trojan/virus warning and i deleted the files(it downloaded 2 automatically) so i blocked these certain files and now when i load IE it still goes to that 213.159.117.134/index.php (aka cool web search as it titles itself) so i use hijack this to fix this and it says it changes but everytime i scan again its still there and my IE default page is the same(yes i tryed to change the default page through IE settings, it just doesnt do it something overwrites it), and i can find no leads to how to stop this WebDialer to pop up everytime i get on the net. so if anyone knows anything about this plz help here is the problem lines in my hijackthis



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 213.159.117.134/index.phpoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 213.159.117.134/index.php

thankyou,
ryan

 

I think you have been hit by a spyware called: CWS

 

I'm not sure he's coming back.

 

CWS is very lethal.

 

He has not given permission for us to see his email address either.

Jimbob

 

I got something similar to CWS. To get here without reloading viruses I pressed furiously on 'esc'. My virus removal software has scanned 3 times today, Ad-aware is going for the second time now - with deep level options.
If you don't see me anymore then I lost you or met my destiny. My plan is to search for the string hxxp: //213.159.117.134/index.php in the registry once the virusscan and the spyware scan is done. And second to delete änything that points to that string (or address). Wish me luck. The spyware scanning found this....
Vendorossible Browser Hijack attempt
Category:Misc
Object Type:File
Size:77 Bytes
Location:c:\windows\favorites\imported bookmarks\search\looksmart.url
Last Activity:11.11.2004 22:00:00
Risk LevelLow
Comment:Item referrs to blacklisted
Site:hxxp:// home.netscape.com/bookmark/4_73/looksmart.html
Descriptionossible attempt to control\redirect the browser. This object
referrs to a "blacklisted" site.

see you again soon

 

DO NOT FOLLOW THE LINK

I'm still struggling. But dont follow the links in the previous post. They WILL infect your computer too... sorry.

 

Solution found

There was a file \system\systime.exe that I removed after restarting my computer in "Safe Mode".
After that I looked for the "213.159.117.134" string in registry positions (Software\Microsoft\Internet Explorer\Main) that appear for Current User,
Local Machine and Users. Removed entries with them (and some other
garbage that I gould identify - most likely from previous attacks).
The an exit of the registry and reboot. Explorer appeared cleaner than it should. The homepage needed to be set by adding the Homepage in Internet Explorer properties. Right Click on the Explorer icon on the desktop.

System seems ok now.

Next take a jump to IE Internet settings and add this to the untrusted domains in the security tab.

 

Hi Jumpe4, and welcome to Wilders.

It sounds like you have it a bit more under control, but to ensure your computer is completely clean you may want to follow the steps listed here:
General Cleaning Instructions. Then follow-up with posting a HijackThis log at one of the sites that do HijackThis log analysis.

Edit - A bit about the file systime.exe: Sophos - Troj/StartPa-CR It is a CoolWebSearch parasite variant.

Regards,

snap